
08/07/12—The IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user’s IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.

To unlock the computer, the user is instructed to pay a fine to the U.S. Department of Justice using a prepaid money card service. The geographic location of the user’s IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar, do not follow payment instructions. Infected computers may not operate normally. If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.

It is suggested that you:

■ File a complaint at www.IC3.gov.
■ Seek out a local computer expert to assist with removing the malware.

Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user’s IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.

Aw, shucks, my computer screens have been displaying warnings like that for years. They even use the same language that's been on the arrest warrants.

An operation to break up a ransomware network estimated to be worth one million euros a year has been successful.

European police agency Europol says that Spanish police, working alongside the European Cybercrime Centre (EC3), have broken up a gang which allegedly ran a ransomware scheme which demanded money from online users in 30 countries.

Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.

Boot up in safe mode and use System Restore. Worked for me after one of my nephews somehow caused my PC to become infected. Make sure to run Malwarebytes and scan for viruses after you do System Restore to make sure it's gone for good.

An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.

According to the report, upon execution, the malware randomly spawns either ctfmon.exe or svchost.exe and injects its own code there. The injected system process then reportedly executes a copy from the %TEMP% folder, creating ctfmon.exe or svchost.exe child processes with the injected code, which is apparently where things take a turn for the interesting.

First the malware generates a unique computer ID, then it uses that ID and the fixed string “QQasd123zxc” to produce an encryption key with crypto API functions like “advapi32!CryptHashData” and “advapi32!CryptDeriveKey” so that the attacker can create the same key each time he uses that string. Now the malware sends requests with the computer ID back to its command and control server, encrypting its communications on the server with the first key and allowing the Trojan to decrypt them on the infected computers.

Next, a second key is created using “advapi32!CryptGenKey.” Blinka explains that this function will create a random key each time it is used and cannot be recreated (unlike the first). From here, an RSA 2 blob is exported from the second key and encrypted by the first before being encoded by base64 and sent back to the C&C server, paired in the attackers' database with the computer ID.

Lastly, the list of files that the malware wants to encrypt is determined, and they are encrypted by “advapi32!CryptEncrypt” using the second key before the well-known ransom note shows up on a victim’s locked screen.
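The two-key scheme in the quoted report, modelled here as an added example (my code, not the article's and not the malware's) to show what an incident responder can and cannot recover: key 1 is reproducible from the computer ID plus the fixed string, so a captured beacon can be unwrapped, while key 2 is random and cannot be re-derived. SHA-256 and an HMAC counter-mode keystream are stand-ins for the Windows CryptDeriveKey and CryptEncrypt calls (assumptions, not byte-compatible with the real API), and the computer ID is a constructed value.

```python
"""Model of the two-key scheme described in the report (added example)."""
import base64
import hashlib
import hmac
import os

FIXED_STRING = b"QQasd123zxc"  # constant named in the report


def derive_key1(computer_id: bytes) -> bytes:
    """Key 1 is deterministic: anyone holding the computer ID and the fixed
    string can re-create it. SHA-256 stands in for the CryptHashData /
    CryptDeriveKey expansion (assumption: not byte-identical to Windows)."""
    return hashlib.sha256(computer_id + FIXED_STRING).digest()


def generate_key2() -> bytes:
    """Key 2 is random per victim (models CryptGenKey) and cannot be re-derived."""
    return os.urandom(32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode) for CryptEncrypt.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def build_beacon(computer_id: bytes, key2: bytes) -> str:
    """The key-2 blob wrapped with key 1 and base64-encoded, as the report
    describes the upload to the C&C server."""
    return base64.b64encode(keystream_xor(derive_key1(computer_id), key2)).decode()


def recover_key2(computer_id: bytes, beacon_b64: str) -> bytes:
    """Defender's angle: given the computer ID and a network capture of the
    beacon, key 1 is reproducible, so the wrapped key 2 can be unwrapped.
    Without that capture, key 2 exists only in the attackers' database."""
    return keystream_xor(derive_key1(computer_id), base64.b64decode(beacon_b64))


if __name__ == "__main__":
    cid = b"CONSTRUCTED-COMPUTER-ID-0001"  # constructed sample value
    k2 = generate_key2()
    beacon = build_beacon(cid, k2)
    print("key 2 recovered from beacon:", recover_key2(cid, beacon) == k2)
```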

Some of the newer versions ‘lock’ the computer by encrypting key parts of the operating system and making it unusable. But, continued Corrons, “As some antivirus could break the encryption and release the files, the criminals changed to a more sophisticated technique using server-based encryption; and the only way to decrypt files in this state is to get the key from the criminals. So even if you remove the infection, you have still lost all your information.”

Variants of this malware are infecting computers in Europe and they are devilishly sophisticated. They encrypt all the files on the hard drive. This prevents the owner from accessing them until the ransom is paid to get the decryption key.

“The bad guys have improved the nastiness of this attack,” said Chester Wisniewski, a senior security advisor at SophosLabs. “They basically steal all of your documents and lock them in a vault. And only they have the key.”

Earlier variants used symmetric encryption, which is relatively easy to break. These use asymmetric encryption, which uses a public/private keypair. These are a helluva lot more difficult to break - actually impossible using the technology that most of us can get our hands on.

Looks like today's "Security Now" podcast with Leo Laporte and Steve Gibson is one where they talk to Brian Krebs, and partially deals with ransomware. Krebs has been able to infiltrate this underground.

Listening to the podcast now, very interesting on how the business of this stuff actually works. I didn't really realize when you buy an exploit kit, it could come with a license agreement that it could only be used against a particular domain, with add-on packs and tech support.

For AV, I like Kaspersky. I generally don't like the suites (from anyone). But just as important (maybe even more so) is keeping everything updated. I like a free program called PSI from Secunia. It keeps track of all your software and tells you when a security update comes out, when it is end of life, etc.

AV is a part of online security, but cannot be the only aspect. If malware can use a vulnerability to get in, AV can be powerless to stop it. It's not enough to just say, don't go to sketchy sites. While those of course can make you a target, malware can wind up on legit sites, either due to the site itself being compromised, or through an ad. A subsite of the LA Times had malware for 6 weeks recently.

dpeters - you're right on the money recommending PSI. Great product, highly recommended.

satcrazy - that may or may not work. If the last backup had the malware present, but not active, you'd end up restoring the malware too. These aren't lonely high school kids trying to crash your PC - they're organized criminals that hire professionals to commit crime. Kaspersky is good, and I've used ESET too. The ones I really don't like are McAfee and Norton - they come with a lot of bloat and have a big memory footprint.

It's also a good idea to run something like Malwarebytes once in a while. And, if you're on Windows, be sure to run the "Malicious Software Removal" tool that comes down as part of Windows Update monthly.